From 041801db5c2b8e730d0835027e6455ef2bc64400 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Sun, 11 Feb 2024 10:24:07 +1300
Subject: [PATCH] Improve GHSA-78xj-cgh5-2h22

---
 .../GHSA-78xj-cgh5-2h22.json | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json b/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
index 446b620560ff4..c99e71d2682b2 100644
--- a/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
+++ b/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-78xj-cgh5-2h22",
- "modified": "2024-02-09T15:12:06Z",
+ "modified": "2024-02-09T15:12:07Z",
 "published": "2024-02-08T18:30:39Z",
 "aliases": [
 "CVE-2023-42282"
 ],
 "summary": "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks",
- "details": "An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.",
+ "details": "An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.",
 "severity": [
 
 ],
@@ -30,6 +30,25 @@
 ]
 }
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "ip"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "2.0.0"
+ }
+ ]
+ }
+ ]
 }
 ],
 "references": [
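Review bot: The rewritten `details` line still asserts that an attacker can "execute arbitrary code", which the root cause stated in the same sentence (misclassifying private addresses as public in `isPublic()`) does not support and which contradicts the `summary`, which scopes the impact to SSRF. Consumers of this feed triage on that text, so I would limit the claim to what the advisory actually describes, e.g. `"details": "An issue in all published versions of the NPM package \`ip\` allows the \`isPublic()\` function to misclassify private IP addresses as public. Applications that rely on it to block requests to internal hosts are exposed to Server-Side Request Forgery (SSRF)."` The one-second bump of `modified` to `2024-02-09T15:12:07Z` also looks like a hand edit rather than the real modification time of this change (the commit is dated 2024-02-11); presumably the tooling regenerates it, but confirm.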
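Review bot: The new range ends with `"last_affected": "2.0.0"` rather than a `fixed` event, so any `ip` release after 2.0.0 will be matched as unaffected by OSV-style tooling even though the `details` text says every published version is vulnerable; if no fixed release exists, this advisory must be bumped each time a new version is published or it silently stops matching, and it is worth recording that in the description or a maintainer note. This hunk also adds a second `affected` entry for `npm`/`ip` while the first three context lines close an earlier entry whose package and range lie outside the hunk; if that earlier entry is for the same package the two ranges overlap, which some scanners report twice and the OSV linter flags, so consider merging them into one entry with a single range. The enclosing `affected` array begins before this hunk.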